Approaches For Secure-Communication Between Xen Virtual Machines

Posted on: 2014-01-15
Degree: Master
Type: Thesis
Country: China
Candidate: X W Li
GTID: 2248330398472138
Subject: Applied Mathematics

Abstract/Summary:
Virtualization technology has been used on large-capacity servers since as early as the 1960s; IBM was the first to use it, adding a new layer on the server for virtualization. This layer differs from earlier hardware and software functions. On the one hand, it can obtain the requests that the software application layer makes to the other layers; on the other hand, it reinterprets and modifies these requests. Working together, the two provide new features. With the development of related technology and hardware, especially in large machines and cluster systems, the PC gained a good opportunity from large servers.

Virtualization has its own unique characteristics. It can cross platform restrictions and share and provide a variety of services on a variety of different hardware; in particular, it can give individual PC users their own personal service space. In addition, server virtualization makes efficient use of server resources. Because virtualized spaces are isolated, they do not interfere with each other, which improves the operational stability of the various systems.

One goal of virtualization technology is to make full, efficient use of previously idle server resources and reduce costs. Running multiple virtual machines through server virtualization provides multiple layers of services; for example, communication-intensive software services can be placed in different virtual machines. In that case, the frequency of communication between the virtual machines becomes a pressing concern.

This paper focuses on communication between Xen virtual machines. By analyzing the unique characteristics of the communication path, and by encrypting and decrypting the information carried on that path, we can enhance the security of the information.

When different virtual machines in Xen need to communicate, two cases must be considered:

1. The two virtual machines are on the same physical host.
2. The two virtual machines are located on different physical hosts.

In the first case, the message is first transmitted to the virtual machine's front-end and then transferred to the back-end of the privileged virtual machine. After processing by the privileged virtual machine, the information returns to the back-end of the privileged virtual machine and is then forwarded to the front-end of the guest virtual machine. The communication is complete when the message arrives at the application layer of the destination virtual machine.

The second case differs from the first. The message arriving at the privileged virtual machine is handled by the native NIC driver and then sent to the real NIC. In the same way, the other physical host accepts the message, which eventually reaches the destination virtual machine. Like communication between real physical machines, cross-domain virtual machine communication also faces threats to the information, such as interception.

To protect the security of information communicated between virtual machines, this paper, building on virtualization itself and the characteristics of virtual machine communication, designs and implements encryption and decryption modules based on Linux kernel module features and the Netfilter hook function. We extract the virtual machines' information on the communication path and encrypt and decrypt it. Above all, modification of the original code should be as small as possible while still effectively improving the security of communication.

Finally, taking into account the performance burden of the module's processing, the paper also runs test programs and analyzes the results. Comparing measurements such as latency and CPU utilization against the case without the module shows that the performance impact is within an acceptable range when the encryption and decryption modules are placed in the communication path between virtual machines.
Keywords/Search Tags: encryption and decryption, XEN, secure communication, virtual machine